The Common Vulnerabilities and Exposures (CVE) system – the global standard for naming and cataloging software vulnerabilities – has recently struggled with resource constraints and long-term funding. CVE is a critical program that allows researchers, vendors and organizations worldwide to refer to the same disclosed vulnerability in a consistent, standardized way and is essential for defending our digital infrastructure.

‍

ITTC Advisory Board member and R Street Institute Senior Policy Director for Technology and Innovation, Mark Dalton, recently penned an analysis titled, Hidden Infrastructure: Why CVE Funding Is a National Security Imperative which argues that the program is critical for security teams and governments to speak the same language and act together. Without stable funding and universal adoption, the system risks fragmentation, weakening our collective cyber-defense and posing a national-security threat.

‍

Dalton argues that we must: 

• Treat CVE funding and governance as a U.S. infrastructure investment.
  
  
• Maintain global, neutral, and universally adopted identifiers, rather than allowing fragmentation to upend an already chaotic space.
  
  
• Ensure the program remains transparent in funding, resilient, and scalable as cyber threats rise. 

‍

“Providing a reliable source of funding to sustain CVEs should be among the easiest cybersecurity policy decisions to make. It requires modest, well-defined resources; enjoys broad stakeholder support across industry and government; provides clear, measurable value; and represents limited government’s ability to perform a core coordination function effectively.”

‍

Read the full analysis below.

‍

READ IT HERE

‍